Zip-Slip Vulnerability in HashiCorp's go-slug Library
CVE-2025-0377
7.5 HIGH
Summary
HashiCorp's go-slug library is susceptible to a zip-slip attack: file paths taken from tar entries are not adequately constrained during extraction, so an attacker who controls the archive can influence where files are written. When a user provides a path that does not yet exist, this can be exploited to write to unintended file locations, potentially compromising system integrity. Users of the go-slug library should address this risk by validating entry paths and ensuring that extraction cannot escape the intended destination directory.
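The containment check that closes this class of bug, as an added Go example that is not go-slug's own code: every tar entry name, and every symlink target, is resolved lexically against the destination and refused if it lands outside it, so the verdict does not depend on whether the path already exists. The destination "/srv/out", the helper names and the sample archive are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// EntryTarget returns the on-disk path for a tar entry, or an error if the entry name
// (or a symlink target resolved against the link's own directory) would land outside dest.
func EntryTarget(dest string, hdr *tar.Header) (string, error) {
	dest, sep := filepath.Clean(dest), string(filepath.Separator)
	within := func(p string) bool { return strings.HasPrefix(p+sep, dest+sep) }
	target := filepath.Join(dest, hdr.Name) // Join collapses "a/../../b" forms
	link := filepath.Join(dest, filepath.Dir(hdr.Name), hdr.Linkname)
	if !within(target) || (hdr.Typeflag == tar.TypeSymlink && (filepath.IsAbs(hdr.Linkname) || !within(link))) {
		return "", fmt.Errorf("entry %q (link %q) escapes %q", hdr.Name, hdr.Linkname, dest)
	}
	return target, nil
}
// UnsafeEntries scans an in-memory tarball before anything is written to dest and
// returns the names of the entries that must be refused.
func UnsafeEntries(data []byte, dest string) ([]string, error) {
	var bad []string
	tr := tar.NewReader(bytes.NewReader(data))
	for hdr, e := tr.Next(); e != io.EOF; hdr, e = tr.Next() {
		if e != nil && e != tar.ErrInsecurePath { // Go 1.20+ may flag ".." names itself
			return bad, e
		}
		if _, e := EntryTarget(dest, hdr); e != nil {
			bad = append(bad, hdr.Name)
		}
	}
	return bad, nil
}
// SampleArchive builds a constructed tarball: a benign file, a "../" escape,
// and a symlink whose target climbs out of the extraction directory.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "ok.txt", Typeflag: tar.TypeReg, Mode: 0o644})
	tw.WriteHeader(&tar.Header{Name: "../evil.txt", Typeflag: tar.TypeReg, Mode: 0o644})
	tw.WriteHeader(&tar.Header{Name: "sub/link", Typeflag: tar.TypeSymlink, Linkname: "../../outside"})
	tw.Close()
	return buf.Bytes()
}
```

Run the scan over the whole archive before writing any entry, so a single bad entry aborts extraction rather than leaving a partially unpacked tree behind.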
Affected Version(s)
Shared library 64 bit 0 < 0.16.2
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved